Network Security — Defending against DDoS

Not that many years ago when people heard the term "DOS", most thought of the old disk operating system that was needed to run your computer.  Today, the terms DoS (Denial of Service) and DDoS (Distributed Denial of Service) are becoming far too common in the news. US-CERT (United States Computer Emergency Readiness Team) describes Denial of Service this way: "In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services.”  And with our increasing reliance on the Internet in all sectors of our lives, these attacks have become more disruptive with time.

Large-scale DDoS attacks on the rise

While there is some debate over when the first DoS attack actually occurred (Did Watson really leave the receiver off the hook just to stop those pesky calls from Bell?),  the sad truth is that these attacks have become nearly ubiquitous on the Internet; and about 70% of reported attacks are targeted at infrastructure. In 2017, there were an average of over 22,000 attacks per day, and the trend is continuing to rise.  Year over year, the Internet has seen a 14% increase in the number of DoS attacks. The capabilities for creating large DoS attacks are growing even faster. Last year the largest recorded attack was about 641 Gbps. So far this year, there was an attack recorded peaking at 1.7 Tbps (that is 1700Gbps!) on March 5th.  So why are the attack sizes getting so much bigger and more frequent?

The most common method of creating large amounts of attack data is by distributing the efforts amongst many different attacking devices, hence the use of the term “Distributed” in DDoS.  Most of the larger DoS events we see these days are actually DDoS events involving thousands of attacking hosts. Sometimes these hosts are “willing” participants, but most often they are hosts that have been compromised with malicious software (viruses/worms) and controlled by some central entity, or they have known vulnerabilities or misconfigurations that allow them to be used as “reflectors” or “amplifiers” of seemingly legitimate requests that result in the flooding of data responses to the targeted victim.

Understanding that these larger attacks are directly related to the number of attack hosts that can be used, part of the growth can be explained by the Internet of Things (IoT). There have been several exploits deployed against IoT devices that have used these types of devices to cause some large and memorable DDoS events. Yes, that Internet connected toaster you bought may someday join in DDoS attacks. The Mirai and Reaper botnets are good examples of this. Mirai actually managed to infect over 600,000 devices at its peak, while the Reaper botnet made headlines in 2017, by targeting known vulnerabilities in IoT devices and there were indications of over one million affected organizations by October of 2017. In 2017 there were approximately 27 billion IoT connected devices, and that’s predicted to increase to about 127 billion by 2030; another reason that attack sizes are likely to continue to increase as well.

Another significant factor in the size of DDoS attacks is the discovery and availability of service vulnerabilities.  Certain legitimate services can be used in reflection attacks that amplify the attackers traffic to various degrees. Many well-known services have been used in this manner including NTP, DNS, Chargen, RIPv1, and most recently: memcached.  These services can result in amplification amounts of up to 51,000:1! The good news here is that most of these services can be hardened against use in attacks by configuration changes, software updates, and/or restricting access to the vulnerable services.

In addition to the technical aspects enabling large DDoS attacks, the ease of launching attacks has also advanced.  There are many for-hire services, known as booster/stressers, which utilize resources and attack vectors managed by online groups to launch attacks at a requested target, for a price. These services are generally inexpensive, require little to no technical skill to utilize, and they appear to be profitable to their owners. Brian Krebs reported that a couple of teens:

MCNC is here to help

Despite the size and scope of DDoS attacks, there are things that can be done to manage or mitigate their impact. MCNC has implemented a DDoS mitigation system to provide some level of protection to our customers from this growing threat.  The Network Management Team, in concert with the NCREN NOC and Network Engineering, continuously monitor for malicious traffic and can activate countermeasures as needed to protect our customers and network. While MCNC can help detect and protect our constituents from the full impact of these devastating attacks, security experts still recommend a multi-layered approach to defenses. Regular review and maintenance of firewall policies, system and software updates, and the use of intrusion detection/prevention systems are important measures of protection from being used as a source of DDoS attacks; as well as protection against certain attacks targeting specific applications.

If you are connected to NCREN and interested in what protection MCNC can provide for your network: